http://0x191unauthorized.blogspot.com/2011/08/reverse-shell-through-dll-injection.html

1. xxxx.idl 파일 제작

2. idl 파일 프로젝트에 추가 (별도의 프로젝트로 작성할 필요 없이 사용할 프로젝트에 idl 파일만 추가),

3. 빌드 후 생성되는 xxxx.h 파일 프로젝트에 추가, 사용할 파일에서 include

4. xxxx.idl 파일 - 속성 - MDIL - 일반 메뉴에서 MkTypLib 호환 "아니오" 로 수정 이거 안하면

오류 1 error MIDL2311 : statements outside library block are illegal in mktyplib compatability mode :

위와 같은 오류 발생

5. xxxx_i.c 파일에서 아래 정의를 사용할 파일에 정의

#define MIDL_DEFINE_GUID(type, name, .................)\

const type name = {...............}

MIDL_DEFINE_GUID(IID, ..................)

An ADO application does not run on down-level operating systems after you recompile it on a computer that is running Windows 7 SP 1 or Windows Server 2008 R2 SP 1 or that has KB983246 installed

On This Page

• SYMPTOMS
• CAUSE
• WORKAROUND
  • Method 1
    • For 32-bit computers
    • For AMD 64 computers
    • For IA64 computers
    • Downloads
    • For C++ developers
    • For Visual Basic 6 developers
  • Method 2
• MORE INFORMATION

Expand all | Collapse all

SYMPTOMS

Consider the following scenario. On a computer that is running Windows 7 Service...

Consider the following scenario. On a computer that is running Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP 1 or that has KB9823246 installed, you recompile a Microsoft ActiveX Data Objects (ADO) application by using one of the following applications:

• Microsoft Visual C++
• Microsoft Visual Basic for Applications (VBA)
• Microsoft Visual Basic 6
• Microsoft .NET applications

In this scenario, you find that the application does not run on down-level operating systems. For example, it does not run on the release version of Windows 7, on Windows Vista, and on other earlier versions of Windows. Depending on your implementation, you also receive an error message that resembles one of the following. (You may receive other error messages.)

Error message 1

REGDB_E_CLASSNOTREG (0x80040154)

Error message 2

E_POINTER (0x80004003)

Error message 3

E_NOINTERFACE (0x80004002)

Error message 4

Unable to cast COM object of type 'System.__ComObject' to interface type 'ADODB.Connection'. This operation failed because the QueryInterface call on the COM component for the interface with IID '{00001550-0000-0010-8000-00AA006D2EA4}' failed due to the following error: No such interface supported (Exception from HRESULT: 0x80004002 (E_NOINTERFACE)).”

The following Visual C++ code segment replicates this issue.

#import " msado15.dll" no_namespace rename("EOF","EndOfFile")
 
int main()
{
  CoInitialize(NULL);
  _ConnectionPtr pConnection = NULL;
     HRESULT hr = pConnection.CreateInstance(__uuidof(Connection)); //hr gets E_NOINTERFACE here
}

The following Visual Basic for Applications code segment replicates this issue.

Private Sub Form_Load()
 Dim Conn As New ADODB.Connection ‘Runtime error here: Class does not support Automation or does not support expected interface
End Sub

VBA Error:Run-time error '430': Class does not support Automation or does not support expected interface

Note Microsoft no longer supports the primary interop assembly for ADO and no longer supports Visual Basic 6. For more information about Visual Basic 6 supportability, visit the following MSDN webpage:

Support Statement for Visual Basic 6.0 on Windows Vista, Windows Server 2008 and Windows 7 (http://msdn.microsoft.com/en-us/vbasic/ms788708.aspx)

For more information about the primary interop assembly for ADO supportability, click the following article number to view the article in the Microsoft Knowledge Base:

318559  (http://support.microsoft.com/kb/318559/ ) Using the primary interop assembly for ADO (ADODB) in Visual Studio .NET

Back to the top

CAUSE

This issue occurs because some ADO interfaces were changed in Windows 7 SP1 to b...

This issue occurs because some ADO interfaces were changed in Windows 7 SP1 to be associated with new instance identifiers (IIDs). The older IID interfaces were assigned the following suffix:

_Deprecated

For example, the interface _Connection was updated as follows:

• In Windows 7 and in earlier versions of Windows, the _Connection IID is 00000550-0000-0010-8000-00AA006D2EA4.
• In Windows 7 SP1, the _Connection IID is 00001550-0000-0010-8000-00AA006D2EA4, and the IID for _Connection_Deprecated is 00000550-0000-0010-8000-00AA006D2EA4.

If your application uses early binding to _Connection, the new IID is stored in the application binary during compilation. This causes an error when the application runs on a down-level operating system because the IID does not exist.

Some ADO APIs are platform-dependent in ADO 2.7 and in later versions. On 64-bit versions of Windows, these ADO APIs process arguments by using a 64-bit data type (such as the LONGLONG data type). However, applications that use these APIs still use the LONG data type. Therefore, you receive a "Type Mismatch" error message when you try to run the macro.

Back to the top

WORKAROUND

To work around this issue, use one of the following methods. Method 1To work aro...

To work around this issue, use one of the following methods.

Back to the top

Method 1

To work around this issue for Visual C++ applications, for Visual Basic 6 applications, and for Microsoft .NET applications, follow these steps.

Notes

• Method 2 does not apply VBA to applications. The compiled Access file (*.mde or *.accde) has to read the downloaded typelib (.tlb) file at runtime, and it is unlikely that the downloaded .tlb file will be present on end-user computers.
• To download files, go to the "Downloads" subsection of this section.
• Running the CMD prompt as an Administrator during the registration process for the type library may be necessary on the Windows 7 machines.

For 32-bit computers

1. Download Msado60_Backcompat_i386.tlb to a local directory (e.g. C:\temp).
2. Copy the downloaded file to a deployed directory. For example:
   C:\temp\Msado60_Backcompat_i386.tlb "%CommonProgramFiles%\System\ado\Msado60_Backcompat.tlb"
3. Register the downloaded file on the system. For example:
   %windir%\Microsoft.NET\Framework\v4.0.30319\regtlibv12 "%CommonProgramFiles%\System\ado\msado60_Backcompat.tlb"
   
   Note Adjust the path for regtlbv12.exe if the .NET Framework 4.0 was not installed on the system.
4. Verify that the following registry key was created:
   HKEY_CLASSES_ROOT\TypeLib\{0C0FF45D-87C8-4333-9075-3D9B4D64F9FC}\6.0
5. Verify that the following registry value is pointing to "%CommonProgramFiles%\System\ado\Msado60_Backcompat.tlb" (the path in the registry may be expanded into an absolute path):
   HKEY_CLASSES_ROOT\TypeLib\{0C0FF45D-87C8-4333-9075-3D9B4D64F9FC}\6.0\0\win32

For AMD 64 computers

1. Download Msado60_Backcompat_i386.tlb to a local directory (e.g. C:\temp).
2. Download Msado60_Backcompat_x64.tlb to a local directory (e.g. C:\temp).
3. Copy the downloaded files to a deployed directory. For example:
   
   C:\Temp\Msado60_Backcompat_i386.tlb "%CommonProgramFiles(x86)%\System\ado\Msado60_Backcompat.tlb"
   C:\Temp\Msado60_Backcompat_x64.tlb "%CommonProgramFiles%\System\ado\msado60_Backcompat.tlb"
4. Register the downloaded files on the system. For example:
   
   %windir%\Microsoft.NET\Framework\v4.0.30319\regtlibv12 "%CommonProgramFiles%\System\ado\Msado60_Backcompat.tlb"
   %windir%\Microsoft.NET\Framework\v4.0.30319\regtlibv12 "%CommonProgramFiles(x86)%\System\ado\Msado60_Backcompat.tlb"
   
   Note Adjust the path for regtlbv12.exe if the .NET Framework 4.0 was not installed on the system.
5. Verify that the following registry key was created:
   HKEY_CLASSES_ROOT\TypeLib\{0C0FF45D-87C8-4333-9075-3D9B4D64F9FC}\6.0
6. Verify that the following registry value is pointing to "%CommonProgramFiles(x86)%\System\ado\msado60_Backcompat.tlb" (the path in the registry may be expanded into an absolute path):
   HKEY_CLASSES_ROOT\TypeLib\{0C0FF45D-87C8-4333-9075-3D9B4D64F9FC}\6.0\0\win32
7. Verify that the following registry value is pointing to "%CommonProgramFiles%\System\ado\msado60_Backcompat.tlb" (the path in the registry may be expanded into an absolute path):
   HKEY_CLASSES_ROOT\TypeLib\{0C0FF45D-87C8-4333-9075-3D9B4D64F9FC}\6.0\0\win64

For IA64 computers

Use the same procedure as for AMD64 computers, but download Msado60_Backcompat_ia64.tlb instead of Msado60_Backcompat_x64.tlb.

Downloads

• Msado60_Backcompat_i386.tlb (http://download.microsoft.com/download/6/4/3/64318ED2-7E18-4A5C-80E2-9BDA0DF02DB3/msado60_Backcompat_i386.tlb)
• Msado60_Backcompat_x64.tlb (http://download.microsoft.com/download/6/4/3/64318ED2-7E18-4A5C-80E2-9BDA0DF02DB3/msado60_Backcompat_x64.tlb)
• Msado60_Backcompat_ia64.tlb (http://download.microsoft.com/download/6/4/3/64318ED2-7E18-4A5C-80E2-9BDA0DF02DB3/msado60_Backcompat_ia64.tlb)

For C++ developers

1. Replace line 1 with line 2:

   1. #import "msado15.dll" no_namespace rename("EOF","EndOfFile")

   2. #import "msado60_Backcompat.tlb" no_namespace rename("EOF","EndOfFile")

2. Recompile the application.

For Visual Basic 6 developers

1. On the Project menu, click References.
2. Click to clear the Microsoft ActiveX Data Objects * Library and Microsoft ActiveX Data Objects Recordset * Library entries.
3. Click to select the Microsoft ActiveX Data Objects 6.0 BackCompat Library entry.
4. Recompile the application.

Back to the top

Method 2

You can change your application so that it uses late binding. For example, you would call the ADO APIs through the IDispatch interface in C++.

Note This workaround does not apply to Visual Basic for Applications applications.

Back to the top

MORE INFORMATION

The following is a complete list of interfaces that have the old IID together wi...

The following is a complete list of interfaces that have the old IID together with the suffix "_Deprecated" that is added to the interface name:

• Interface: ADORecordsetConstruction
• Interface: ConnectionEventsVt
• Interface: _Connection
• Interface: Connection15
• DispInterface: ConnectionEvents
• Interface: _Command
• Interface: Command25
• Interface: Command15
• Interface: Fields
• Interface: Fields20
• Interface: Fields15
• Interface: Field
• Interface: Field15
• Interface: Field20
• Interface: _Parameter
• Interface: Parameters
• Interface: _Record
• Interface: _Recordset
• Interface: Recordset21
• Interface: Recordset20
• Interface: Recordset15
• DispInterface: RecordsetEvents
• Interface: RecordsetEventsVt
• Interface: _Stream

A better solution for the Windows 7 SP1 ADO GUID changes

http://blogs.msdn.com/b/psssql/archive/2011/10/03/yes-we-made-a-mistake-and-are-finally-going-to-fix-it.aspx

http://support.microsoft.com/kb/2517589/en-us

#define _WIN32_DCOM

#include <iostream>
using namespace std;

#include <comdef.h>
#include <Wbemidl.h>

#pragma comment(lib, "wbemuuid.lib")

class WMIQuery
{
   IWbemLocator* m_pLocator;
   IWbemServices* m_pServices;

public:
   WMIQuery():
      m_pLocator(NULL),
      m_pServices(NULL)
   {
   }

   bool Initialize()
   {
      // Obtain the initial locator to WMI
      HRESULT hr = ::CoCreateInstance(
         CLSID_WbemLocator,
         0,
         CLSCTX_INPROC_SERVER,
         IID_IWbemLocator, (LPVOID *) &m_pLocator);

      if (FAILED(hr))
      {
         cerr << "Failed to create IWbemLocator object. Err code = 0x" << hex << hr << endl;
         return false;
      }

      // Connect to WMI through the IWbemLocator::ConnectServer method
      // Connect to the root\cimv2 namespace with the current user
      hr = m_pLocator->ConnectServer(
         _bstr_t(L"ROOT\\CIMV2"), // Object path of WMI namespace
         NULL,                    // User name. NULL = current user
         NULL,                    // User password. NULL = current
         0,                       // Locale. NULL indicates current
         NULL,                    // Security flags.
         0,                       // Authority (e.g. Kerberos)
         0,                       // Context object
         &m_pServices             // pointer to IWbemServices proxy
         );

      if (FAILED(hr))
      {
         cerr << "Could not connect. Error code = 0x" << hex << hr << endl;
         m_pLocator->Release();
         m_pLocator = NULL;
         return false;
      }

      // Set security levels on the proxy
      hr = ::CoSetProxyBlanket(
         m_pServices,                 // Indicates the proxy to set
         RPC_C_AUTHN_WINNT,           // RPC_C_AUTHN_xxx
         RPC_C_AUTHZ_NONE,            // RPC_C_AUTHZ_xxx
         NULL,                        // Server principal name
         RPC_C_AUTHN_LEVEL_CALL,      // RPC_C_AUTHN_LEVEL_xxx
         RPC_C_IMP_LEVEL_IMPERSONATE, // RPC_C_IMP_LEVEL_xxx
         NULL,                        // client identity
         EOAC_NONE                    // proxy capabilities
         );

      if (FAILED(hr))
      {
         cerr << "Could not set proxy blanket. Error code = 0x" << hex << hr << endl;
         m_pServices->Release();
         m_pServices = NULL;
         m_pLocator->Release();
         m_pLocator = NULL;
         return false;
      }

      return true;
   }

   IEnumWbemClassObject* Query(LPCTSTR strquery)
   {
      IEnumWbemClassObject* pEnumerator = NULL;
      HRESULT hr = m_pServices->ExecQuery(
         bstr_t("WQL"),
         bstr_t(strquery),
         WBEM_FLAG_FORWARD_ONLY | WBEM_FLAG_RETURN_IMMEDIATELY,
         NULL,
         &pEnumerator);

      if (FAILED(hr))
      {
         cerr << "Query for operating system name failed. Error code = 0x" << hex << hr << endl;
         return NULL;
      }

      return pEnumerator;
   }

   ~WMIQuery()
   {
      if(m_pServices != NULL)
      {
         m_pServices->Release();
         m_pServices = NULL;
      }

      if(m_pLocator != NULL)
      {
         m_pLocator->Release();
         m_pLocator = NULL;
      }
   }
};

int _tmain(int argc, _TCHAR* argv[])
{
   HRESULT hres;

   // Initialize COM.
   hres =  ::CoInitializeEx(0, COINIT_MULTITHREADED);
   if (FAILED(hres))
   {
      cout << "Failed to initialize COM library. Error code = 0x" << hex << hres << endl;
      return 1;
   }

   // Set general COM security levels
   hres =  ::CoInitializeSecurity(
      NULL,
      -1,                          // COM authentication
      NULL,                        // Authentication services
      NULL,                        // Reserved
      RPC_C_AUTHN_LEVEL_DEFAULT,   // Default authentication
      RPC_C_IMP_LEVEL_IMPERSONATE, // Default Impersonation
      NULL,                        // Authentication info
      EOAC_NONE,                   // Additional capabilities
      NULL                         // Reserved
      );

   if (FAILED(hres))
   {
      cout << "Failed to initialize security. Error code = 0x" << hex << hres << endl;
      ::CoUninitialize();
      return 1;
   }
   else
   {
      WMIQuery query;
      if(query.Initialize())
      {
         IEnumWbemClassObject* pEnumerator = query.Query(_T("SELECT * FROM Win32_SystemEnclosure"));

         if(pEnumerator != NULL)
         {
            // Get the data from the query
            IWbemClassObject *pclsObj;
            ULONG uReturn = 0;

            while (pEnumerator)
            {
               HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);

               if(0 == uReturn)
               {
                  break;
               }

               VARIANT vtProp;

               hr = pclsObj->Get(L"Name", 0, &vtProp, 0, 0);
               wcout << "Name:    " << vtProp.bstrVal << endl;

               hr = pclsObj->Get(L"ChassisTypes", 0, &vtProp, 0, 0);
               wcout << "Chassis: ";
               SAFEARRAY* parrValues = NULL;

               if (vtProp.vt & VT_ARRAY)
               {
                  if (VT_BYREF & vtProp.vt)
                     parrValues = *vtProp.pparray;
                  else
                     parrValues = vtProp.parray;
               }

               if (parrValues != NULL)
               {
                  SAFEARRAYBOUND arrayBounds[1];
                  arrayBounds[0].lLbound = 0;
                  arrayBounds[0].cElements = 0;

                  SafeArrayGetLBound(parrValues, 1, &arrayBounds[0].lLbound);
                  SafeArrayGetUBound(parrValues, 1, (long*)&arrayBounds[0].cElements);
                  arrayBounds[0].cElements -= arrayBounds[0].lLbound;
                  arrayBounds[0].cElements += 1;

                  if (arrayBounds[0].cElements > 0)
                  {
                     for (ULONG i = 0; i < arrayBounds[0].cElements; i++)
                     {
                        LONG lIndex = (LONG)i;
                        INT item;

                        HRESULT hr = ::SafeArrayGetElement(parrValues, &lIndex, &item);

                        if(SUCCEEDED(hr))
                        {
                           LPCTSTR szType = NULL;
                           switch(item)
                           {
                           case 1: szType = _T("Other"); break;
                           case 2: szType = _T("Unknown"); break;
                           case 3: szType = _T("Desktop"); break;
                           case 4: szType = _T("Low Profile Desktop"); break;
                           case 5: szType = _T("Pizza Box"); break;
                           case 6: szType = _T("Mini Tower"); break;
                           case 7: szType = _T("Tower"); break;
                           case 8: szType = _T("Portable"); break;
                           case 9: szType = _T("Laptop"); break;
                           case 10:szType = _T("Notebook"); break;
                           case 11:szType = _T("Hand Held"); break;
                           case 12:szType = _T("Docking Station"); break;
                           case 13:szType = _T("All in One"); break;
                           case 14:szType = _T("Sub Notebook"); break;
                           case 15:szType = _T("Space-Saving"); break;
                           case 16:szType = _T("Lunch Box"); break;
                           case 17:szType = _T("Main System Chassis"); break;
                           case 18:szType = _T("Expansion Chassis"); break;
                           case 19:szType = _T("SubChassis"); break;
                           case 20:szType = _T("Bus Expansion Chassis"); break;
                           case 21:szType = _T("Peripheral Chassis"); break;
                           case 22:szType = _T("Storage Chassis"); break;
                           case 23:szType = _T("Rack Mount Chassis"); break;
                           case 24:szType = _T("Sealed-Case PC"); break;
                           }
                           wcout << szType;
                           if(i+1 < arrayBounds[0].cElements)
                              wcout << ", ";
                        }
                     }

                     wcout << endl;
                  }
               }

               VariantClear(&vtProp);

               pclsObj->Release();
            }

            pEnumerator->Release();
         }
      }
   }

   ::CoUninitialize();

   return 0;
}

http://mariusbancila.ro/blog/2011/01/05/finding-if-a-computer-is-a-laptop/